Effective internal control systems

Internal Controls are to be an integral part of any organization's financial and business policies and procedures. Internal controls consists of all the measures taken by the organization for the purpose of; (1) protecting its resources against waste, fraud, and inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3) securing compliance with the policies of the organization; and (4) evaluating the level of performance in all organizational units of the organization. Internal controls are simply good business practices.

Responsibility

Everyone within the University has some role in internal controls. The roles vary depending upon the level of responsibility and the nature of involvement by the individual. The Kansas Board of Regents, President and senior executives establish the presence of integrity, ethics, competence and a positive control environment. The directors and department heads have oversight responsibility for internal controls within their units. Managers and supervisory personnel are responsible for executing control policies and procedures at the detail level within their specific unit. Each individual within a unit is to be cognizant of proper internal control procedures associated with their specific job responsibilities.

The Internal Audit role is to examine the adequacy and effectiveness of the University internal controls and make recommendations where control improvements are needed. Since Internal Auditing is to remain independent and objective, the Internal Audit Office does not have the primary responsibility for establishing or maintaining internal controls. However, the effectiveness of the internal controls are enhanced through the reviews performed and recommendations made by Internal Auditing.

Elements of Internal Control

Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgement resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Control Environment

The control environment, as established by the organization's administration, sets the tone of an institution and influences the control consciousness of its people. Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:

• Integrity and ethical values;
• The commitment to competence;
• Leadership philosophy and operating style;
• The way management assigns authority and responsibility, and organizes and develops its people;

Policies and procedures

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economics, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior.

Risk Assessment

The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage. Risks can pertain to internal and external factors. After risks have been identified they must be evaluated.

Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.